Huge Internet Security Hole Demonstrated
Bigger than recent DNS fiasco?
Wednesday Aug 27 2008 08:15 EDT
Wired News reports on a new vulnerability that could allow troublemakers to intercept traffic on a scale that would make even AT&T and the NSA proud. Two security researchers have demonstrated a new technique to stealthily intercept internet traffic using a vulnerability in the internet routing protocol BGP (Border Gateway Protocol). The tactic, which one hacker claims is bigger than the recent DNS exploit, lets an attacker monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.
wentlanc (You Can't Fix Dumb..) join:2003-07-30 Maineville, OH
Old news?
Hijacking routing tables is not really a new concept. Much like ARP table poisoning, MAC spoofing, VTP, etc. Most protocols rely on some level of trust. What sets this apart is then re-forwarding the hijacked traffic back to the original destination. The best way not to get caught is to not make any noise, right? Perhaps monitoring routing tables for AS path changes would be key to picking up this kind of exploit?
cw
FFH5 Premium Member join:2002-03-03 Tavistock NJ
2008-Aug-27 8:56 am
Re: Old news?
said by wentlanc: Perhaps monitoring routing tables for AS path changes would be key to picking up this kind of exploit? cw
That can be done, but it is labor intensive and even then likely to not work: A handful of academic groups collect BGP routing information from cooperating ASes to monitor BGP updates that change traffic's path. But without context, it can be difficult to distinguish a legitimate change from a malicious hijacking. There are reasons traffic that ordinarily travels one path could suddenly switch to another -- say, if companies with separate ASes merged, or if a natural disaster put one network out of commission and another AS adopted its traffic. On good days, routing paths can remain fairly static. But "when the internet has a bad hair day," Kent said, "the rate of (BGP path) updates goes up by a factor of 200 to 400."
Kapela said eavesdropping could be thwarted if ISPs aggressively filtered to allow only authorized peers to draw traffic from their routers, and only for specific IP prefixes. But filtering is labor intensive, and if just one ISP declines to participate, it "breaks it for the rest of us," he said.
"Providers can prevent our attack absolutely 100 percent," Kapela said. "They simply don't because it takes work, and to do sufficient filtering to prevent these kinds of attacks on a global scale is cost prohibitive."
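The filtering Kapela describes, modelled as an added example (not code from the article or from anyone in this thread): an ISP's inbound policy on a customer BGP session, shown once without any filter and once restricted to the prefixes, maximum prefix length and origin AS registered for that customer. The peer names, ASNs and prefixes are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed peering table for a hypothetical ISP (names, ASNs and prefixes are
# made up): what each customer session is registered to announce, and the most
# specific prefix length the ISP will accept from it (a Cisco "le" style limit).
AUTHORIZED = {
    "cust-A": {"origin_as": 64500, "prefixes": ["203.0.113.0/24"], "max_len": 24},
    "cust-B": {"origin_as": 64501, "prefixes": ["198.51.100.0/23"], "max_len": 24},
}

@dataclass(frozen=True)
class Announcement:
    peer: str
    prefix: str
    origin_as: int

def accept_unfiltered(a: Announcement) -> Tuple[bool, str]:
    """Weak policy: trust whatever the session sends, the state Kapela criticises."""
    return True, "no filter"

def accept_filtered(a: Announcement) -> Tuple[bool, str]:
    """Corrected policy: accept a prefix from a customer session only if it lies inside
    one of that customer's registered blocks, is no more specific than the registered
    maximum length, and carries the registered origin AS."""
    entry = AUTHORIZED.get(a.peer)
    if entry is None:
        return False, "unknown peer"
    net = ipaddress.ip_network(a.prefix, strict=True)
    if not any(net.subnet_of(ipaddress.ip_network(p)) for p in entry["prefixes"]):
        return False, "prefix not registered to peer"
    if net.prefixlen > entry["max_len"]:
        return False, "more specific than allowed"
    if a.origin_as != entry["origin_as"]:
        return False, "origin AS mismatch"
    return True, "ok"

# Constructed announcements: the first two are legitimate, the remaining three are
# the kinds of update an unfiltered session would propagate.
SAMPLE = [
    Announcement("cust-A", "203.0.113.0/24", 64500),
    Announcement("cust-B", "198.51.100.0/24", 64501),    # inside the /23, within max_len
    Announcement("cust-A", "198.51.100.0/24", 64500),    # cust-B's block announced by cust-A
    Announcement("cust-B", "198.51.100.128/25", 64501),  # more specific than the ISP allows
    Announcement("cust-A", "203.0.113.0/24", 64999),     # right prefix, wrong origin AS
]

def evaluate(policy, announcements=SAMPLE):
    """Run a policy over the announcements; returns (prefix, accepted, reason) per update."""
    return [(a.prefix, *policy(a)) for a in announcements]
```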
Ignite Premium Member join:2004-03-18 UK
to wentlanc
Perhaps nothing more interesting than ensuring all your BGP peers are using MD5 authentication would mitigate this.
Re: Old news?
This is true. MD5, which many carriers no longer seem to care about because you can just set 1 or 2 hop BGP.
MD5 should always be set up but it is a longer call with the carrier and sometimes a pain. You usually have to email or send the password to them because you cannot read 7j8j$8e%wVG&6G6Ky6jI#8o!LMt over the phone. So it is a little pain, so carriers, or more their techs, just try not to encourage it. You have to specifically request it, so it is the ISP's fault as well.
But these little tricks are usually just bad configuration/setup. The ISPs and carriers can set up a very secure exchange. DNS exploits too, a lot of this just goes to security, do it right the first time.
Laziness and lack of caring, just people doing their job. Tell you what, pay techs what they deserve and get the right ones in there to do the job. It has to do with undercutting by the ISPs and by the carriers.
EDIT: What about we start using a newer version of BGP? We have been stuck on 4 for a long time. Maybe we all move up to BGP6 or something? Developed yet?
sporkme (drop the crantini and move it, sister) MVM join:2000-07-01 Morristown, NJ
to Ignite
said by Ignite: Perhaps nothing more interesting than ensuring all your BGP peers are using MD5 authentication would mitigate this.
That would do nothing to solve this...
FFH5 Premium Member join:2002-03-03 Tavistock NJ
2008-Aug-27 8:49 am
Hole can be closed; but it is costly and disruptive
Given the cost and effort required to close this hole, it may be some time before it is closed. Kent and BBN colleagues developed Secure BGP (SBGP), which would require BGP routers to digitally sign with a private key any prefix advertisement they propagated. An ISP would give peer routers certificates authorizing them to route its traffic; each peer on a route would sign a route advertisement and forward it to the next authorized hop.
"That means that nobody could put themselves into the chain, into the path, unless they had been authorized to do so by the preceding AS router in the path," Kent said.
The drawback to this solution is that current routers lack the memory and processing power to generate and validate signatures. And router vendors have resisted upgrading them because their clients, ISPs, haven't demanded it, due to the cost and man hours involved in swapping out routers.
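Kent's point that "nobody could put themselves into the chain unless they had been authorized by the preceding AS" is the property the example below checks; it is an added model, not SBGP itself or BBN's code. Real SBGP uses public-key signatures and certificates; here HMAC with per-AS keys that the verifier already holds stands in for the signatures, and the ASNs and prefix are constructed.

```python
import hmac
import hashlib

# Constructed per-AS keys. In SBGP each AS has a certified key pair; HMAC keys known
# to the verifier are a stand-in so the chain structure can be shown with stdlib only.
AS_KEYS = {64500: b"k-64500", 64520: b"k-64520", 64510: b"k-64510", 64666: b"k-64666"}

def attest(asn, prefix, path_so_far, next_as):
    """AS `asn` attests that it propagates `prefix`, received along `path_so_far`
    (origin first, ending in `asn` itself), to the specific next hop `next_as`."""
    msg = f"{prefix}|{','.join(map(str, path_so_far))}|{next_as}".encode()
    return hmac.new(AS_KEYS[asn], msg, hashlib.sha256).hexdigest()

def build_advertisement(prefix, path):
    """Each AS on the path (origin first) adds its attestation as it forwards the route."""
    attestations = []
    for i, asn in enumerate(path[:-1]):
        attestations.append((asn, attest(asn, prefix, path[:i + 1], path[i + 1])))
    return {"prefix": prefix, "path": tuple(path), "attestations": attestations}

def verify_advertisement(adv):
    """Check that every hop in the path was named as next hop by the hop before it."""
    prefix, path, atts = adv["prefix"], adv["path"], adv["attestations"]
    if len(atts) != len(path) - 1:
        return False, "attestation count does not match path length"
    for i, (asn, tag) in enumerate(atts):
        if asn != path[i]:
            return False, f"attestation {i} not from AS{path[i]}"
        expected = attest(asn, prefix, path[:i + 1], path[i + 1])
        if not hmac.compare_digest(tag, expected):
            return False, f"AS{asn} did not authorize AS{path[i + 1]} as next hop"
    return True, "chain verified"

def insert_as(adv, asn, position):
    """Model of an unauthorized AS splicing itself into a received advertisement: it can
    attest for itself, but cannot produce the preceding AS's attestation naming it."""
    path = list(adv["path"])
    path.insert(position, asn)
    atts = list(adv["attestations"])
    atts.insert(position, (asn, attest(asn, adv["prefix"], tuple(path[:position + 1]), path[position + 1])))
    return {"prefix": adv["prefix"], "path": tuple(path), "attestations": atts}
```

Verification fails at the hop before the inserted AS, which is exactly the check current routers lack the processing power to run at scale.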
asdfdfdfdfdfdf
Anon
2008-Aug-27 6:01 pm
Re: Hole can be closed; but it is costly and disruptive
I think you are right. What annoys me though, is when I read things like:
quote: who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. "I went around screaming my head about this about ten or twelve years ago.... We described this to intelligence agencies and to the National Security Council, in detail."
quote: Stephen Kent, chief scientist for information security at BBN Technologies, who has been working on solutions to fix the issue, said he demonstrated a similar BGP interception privately for the Departments of Defense and Homeland Security a few years ago.
Our government insists that they need backdoors and broad powers to monitor anyone's communications without fussy things like warrants and they talk of dire scenarios like terrorists bringing down our communications infrastructure and plunging us into chaos, and yet this same government can't be bothered to light fires under some asses to make sure resources are devoted to getting this sort of thing fixed. Should make us wonder whether they believe their own breathless rhetoric.
cork1958 (Cork) Premium Member join:2000-02-26
2008-Aug-28 6:47 am
Re: Hole can be closed; but it is costly and disruptive
said by asdfdfdfdfdfdf: I think you are right. What annoys me though, is when I read things like:
quote: who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. "I went around screaming my head about this about ten or twelve years ago.... We described this to intelligence agencies and to the National Security Council, in detail."
quote: Stephen Kent, chief scientist for information security at BBN Technologies, who has been working on solutions to fix the issue, said he demonstrated a similar BGP interception privately for the Departments of Defense and Homeland Security a few years ago.
Our government insists that they need backdoors and broad powers to monitor anyone's communications without fussy things like warrants and they talk of dire scenarios like terrorists bringing down our communications infrastructure and plunging us into chaos, and yet this same government can't be bothered to light fires under some asses to make sure resources are devoted to getting this sort of thing fixed. Should make us wonder whether they believe their own breathless rhetoric.
Does ANYBODY believe their breathless rhetoric?
fcisler Premium Member join:2004-06-14 Riverhead, NY
2008-Aug-27 9:14 am
Trusted Networks
Wouldn't you have to be somewhere INSIDE a DC? More specifically, within a trusted route/network? I'd find it an extremely bad practice to accept any BGP routes that I didn't trust....
Don't most ISPs filter BGP before it reaches a client's subnet? Unless they are accepting BGP routes from a client, why not block them? Seems rather simple....
This seems like it could be a bigger hole - but unlike DNS, I would venture to say that 75% of most hosts wouldn't have the connectivity to do this.
Re: Trusted Networks
Of course governments will. Granted, in America it's easier just to ask.
Shamayim
Premium Member
2008-Aug-27 10:01 am
All together now (1... 2... 3...
"So? If we're not doing anything wrong, what have we got to hide?"
/sarcasm
Morac (Cat god) Member join:2001-08-30 Riverside, NJ 1 edit
2008-Aug-27 10:33 am
So encrypt your traffic
Isn't the assumption that if your traffic is not encrypted then pretty much anyone can read it?
Granted in this case, that someone can be anywhere in the world instead of locally to you, but still....
So today's lesson is if you don't want people to read your data, encrypt it.
TamaraB (Question The Current Paradigm) Premium Member join:2000-11-08 Da Bronx
2008-Aug-27 2:25 pm
Re: So encrypt your traffic
said by Morac: ... you don't want people to read your data, encrypt it.
Indeed! Why is https NOT the standard for browsing? Why is encrypted email not the standard? Powerful tools currently exist to protect our privacy, and are available to EVERYONE, why are they not used? Why are they NOT the default?
Bob
Re: So encrypt your traffic
I'm guessing a couple of reasons may be server load, connection load (I think more packets have to be sent back and forth to establish an SSL connection), and maybe bandwidth. Encryption and decryption are fairly computationally intense operations. I suppose for email, you'd need a client that everyone has that is capable of handling encryption and makes it SEAMLESS to the end user when operating (think of going to an https site). Maybe someone more knowledgeable in computer/network/internet security could comment on what I've stated.
meta
Member
2008-Aug-27 3:19 pm
Re: So encrypt your traffic
These days with SSL offload and crypto accel cards, there's no excuse for claiming it's not done because of a performance issue. I run it everywhere on my equipment.
Re: So encrypt your traffic
When you made this post, was it encrypted the whole way?
You cannot encrypt everything unless everyone else wants to and agrees with your method. DSLReports would have horrible server load trying to run SSL between them and the readers.
It is an excuse. Just because you can have a crypto card in a Cisco router, or whatever, for maybe $500, doing it in a "real" server situation is different. You are the client, not the server.
Cost is the excuse, not the fact that the technology does not exist.
keyboard5684
to Morac
Well, re-routing traffic is the problem. The traffic needs to go through something like a transparent device somewhere, meaning a long route. I like my traffic to go the quickest route.
Dryvlyne (Far Beyond Driven) Premium Member join:2004-08-30 Newark, OH
to Morac
I think you're missing an important point...
quote: The tactic, which one hacker claims is bigger than the recent DNS exploit, lets an attacker monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.
This would undoubtedly inspire all sorts of new phishing scams and attempted malware "drive-bys". The real problem with the Internet, in general, is that it was built upon the presumed trust between 2 or more machines. I just don't understand how the "fathers" of the Internet couldn't have predicted that it would somehow be abused and that proper precautions should have been instituted in the first place!
Morac (Cat god) Member join:2001-08-30 Riverside, NJ 2 edits
2008-Aug-27 5:56 pm
Re: So encrypt your traffic
said by Dryvlyne: I think you're missing an important point... quote: The tactic, which one hacker claims is bigger than the recent DNS exploit, lets an attacker monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.
You emphasized the wrong part of that sentence. I fixed it for you.
said by Dryvlyne: The real problem with the Internet, in general, is that it was built upon the presumed trust between 2 or more machines. I just don't understand how the "fathers" of the Internet couldn't have predicted that it would somehow be abused and that proper precautions should have been instituted in the first place!
You do realize that the Internet was invented before most people even had a home computer. Back then there was only a handful of computers connected and all were controlled by either Government entities or Colleges. Security wasn't really an issue back then.
Re: So encrypt your traffic
Exactly, it was "turned over" and basically bloomed from that. The government turns over a lot of technology and it is up to those that use it to do what they wish with it.
In this case, the internet, there is not a central "advisor" on this, nor should there be. The fathers of the internet have nothing to do with this problem, people do. Stop using the internet, you're fu%$ing it up.
Really, the reason behind projects like Internet2 and others is to build a new "internet". A new set of standards everyone will agree to work with. Very hard to do since we cannot agree on anything (and we being everyone, every country, the world, cannot agree). BGP is easy to fix, that really is no concern.
The "fathers", if I remember correctly, did realize it would be abused. When they let the technology "go", basically made it public, it was not up to them to secure it. BGP was a protocol that came way after the "internet was invented"; it was a dynamic protocol to allow efficient routing and link control. It works great. The people to "blame", if it must be, are carriers and the people using BGP; they are not using it correctly. I do not even know who came up with BGP, I think Cisco but I may be wrong (at least BGP 3, 4 who ?)
SpaethCo (Digital Plumber) MVM join:2001-04-21 Minneapolis, MN
The DNS exploit is bigger...
in that any kid with a script can trigger it, and the investment cost to pull off the scam is essentially $0. To pull this off you need a lot of access, and you need a considerable investment in infrastructure to be in a position to pull it off. (you need the routing hardware, and to get a carrier circuit with BGP to start you need to prove you own a netblock ($$ to ARIN), you need to prove you own an ASN ($$ to ARIN), and you're going to need to sign contracts for connectivity with a hefty up-front install fee)
1) You need to be able to source a more specific route from a network you don't own through your upstream provider. Many backbone providers strictly enforce which routes you can originate, so you'd have to find one that will play ball.
2) Even if you get the traffic to successfully come to you, you need to overcome the blackhole effect that you create to forward the traffic on to the final destination. (ie, you can't just send it back upstream or the destination traffic will just come right back to you)
The limited exposure would be spoof a network on Carrier A by relaying a more specific route into Carrier C but setting community tags so that it would not be redistributed to its peers. You can then get the customers of Carrier C to forward the traffic to you, and you can dump the traffic out onto Carrier A where it will reach its final destination.
sporkme (drop the crantini and move it, sister) MVM join:2000-07-01 Morristown, NJ
Re: The DNS exploit is bigger...
said by SpaethCo: To pull this off you need a lot of access
Define "access".
said by SpaethCo: and you need a considerable investment in infrastructure
PC hardware and OpenBGP/Zebra/Quagga
said by SpaethCo: and to get a carrier circuit with BGP
"carrier circuit"? No, when you place your order, note that you'll be running BGP. It's not even an extra charge.
said by SpaethCo: to start you need to prove you own a netblock ($$ to ARIN)
Or that you want to announce your block from another ISP
said by SpaethCo: you need to prove you own an ASN ($$ to ARIN)
I have never needed to prove this. Do you consider Level3 a "major" carrier?
said by SpaethCo: and you're going to need to sign contracts for connectivity with a hefty up-front install fee
One-page MSA, $750 NRC, less if you "commit" to more than one year.
said by SpaethCo: 1) You need to be able to source a more specific route from a network you don't own through your upstream provider. Many backbone providers strictly enforce which routes you can originate, so you'd have to find one that will play ball.
The ones that take money from customers will "play ball".
said by SpaethCo: 2) Even if you get the traffic to successfully come to you, you need to overcome the blackhole effect that you create to forward the traffic on to the final destination. (ie, you can't just send it back upstream or the destination traffic will just come right back to you)
I can ask Alex "pretty please" to explain on the mailing list...
SpaethCo (Digital Plumber) MVM join:2001-04-21 Minneapolis, MN 1 edit
Re: The DNS exploit is bigger...
My point about access is you're not going to pull this off at an office or residence without forking over a ridiculous amount of capital for a tail circuit.
If you do this in a colo space, you're still going to have a space commit if you're leasing a rack, plus up-front cross-connect fees to patch yourself over to another carrier. Most places don't let you bring in equipment and start requesting cross connects unless you are going to agree to some sort of term.
I work for a company that has grown through acquisition, and we've had Verizon, Level(3), Qwest, ATT, and Sprint all stop accepting one of our netblock advertisements at one point or another because we rolled an acquired company's netblock advertisement under one of our main AS advertisements and they got concerned that the netblock owner didn't match our company name. The company I work for isn't small, we control 3 /16s + a few scraps of public address space and have Internet points of presence in 16 countries.
In any case, my point is that the DNS exploit is essentially free and has high payout potential. This requires a fair amount of start-up capital, some reasonable fake identities if you want to get out of your contract obligations, and your window of success is still limited. The risk:reward ratio is substantially lower here.
isp eh
Anon
2008-Aug-28 9:27 am
Re: The DNS exploit is bigger...
Totally agree.
Anyway, a company can easily re-route your data by advertising itself (typically a typo) as the owner of a more specific IP block than you are advertising.
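wentlanc's suggestion of watching routing tables for AS path changes, and the more-specific announcement isp eh describes, both reduce to checks a prefix owner can run over collector data. The example below is added here and is not code from anyone in the thread; the prefix, ASNs, known paths and update records are constructed, and the field names are our own rather than any collector's format.

```python
import ipaddress
from typing import Dict, List

# Constructed baseline for a prefix we operate (ASNs and prefix are made up):
# the origin AS and the AS paths a route collector sees on a normal day.
BASELINE = {
    "203.0.113.0/24": {
        "origin_as": 64500,
        "known_paths": {(64510, 64520, 64500), (64511, 64520, 64500)},
    },
}

def classify_update(update: Dict) -> List[str]:
    """Return the alerts one BGP update raises against BASELINE (empty list = benign)."""
    alerts = []
    net = ipaddress.ip_network(update["prefix"])
    path = tuple(int(asn) for asn in update["as_path"].split())
    origin = path[-1]  # rightmost AS in the path is the claimed originator
    for monitored, info in BASELINE.items():
        mon_net = ipaddress.ip_network(monitored)
        if not net.subnet_of(mon_net):
            continue  # not our address space
        if net.prefixlen > mon_net.prefixlen:
            alerts.append(f"more-specific {net} inside {mon_net} seen at {update['peer']}")
        if origin != info["origin_as"]:
            alerts.append(f"origin changed for {net}: expected AS{info['origin_as']}, got AS{origin}")
        elif path not in info["known_paths"]:
            seen = {asn for p in info["known_paths"] for asn in p}
            new = sorted(set(path) - seen)
            alerts.append(f"unseen AS path {path} for {net}, new ASes {new}")
    return alerts

# Constructed update stream: a normal update, a more-specific with a foreign origin,
# a path change through a never-seen AS, and an update for someone else's space.
UPDATES = [
    {"peer": "collector-1", "prefix": "203.0.113.0/24", "as_path": "64510 64520 64500"},
    {"peer": "collector-1", "prefix": "203.0.113.0/25", "as_path": "64510 64530 64666"},
    {"peer": "collector-2", "prefix": "203.0.113.0/24", "as_path": "64511 64530 64500"},
    {"peer": "collector-1", "prefix": "198.51.100.0/24", "as_path": "64510 64540 64501"},
]

def run_monitor(updates=UPDATES) -> Dict[str, List[str]]:
    """Map each update to its alerts; a path change alone needs context before acting on it."""
    return {f"{u['prefix']} via {u['as_path']}": classify_update(u) for u in updates}
```

As FFH5's quoted passage notes, a new path by itself can be a merger or an outage, so the path-change alert is a prompt to investigate while the more-specific and origin-change alerts are the stronger signals.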